What Is a Reverse Proxy?

What’s the Difference Between a Reverse Proxy and a Forward Proxy?

It’s easy to get these two types of proxy servers confused, so let’s break them down.

By sitting in front of a web server, a reverse proxy ensures no clients communicate directly with the server. A forward proxy (another CASB mode) sits in front of client endpoints to intercept incoming requests and ensure no servers communicate directly with a client. These different server types may sound functionally similar, but forward proxies usually depend on a software agent installed on endpoints to forward traffic, while reverse proxies do not.

What Is a Reverse Proxy Server?

“Reverse proxy server” is essentially a more formal term for a reverse proxy. (The same is true of “forward proxy server” for a forward proxy.) Today, we tend to drop “server” because it calls to mind hardware—like a physical box—whereas the technology often takes the form of an application or cloud service.

How Does a Reverse Proxy Work?

Sitting in the flow of traffic, a reverse proxy integrates with an organization’s authentication service (e.g., single sign-on). Once IT configures services and apps to transact with the reverse proxy, the proxy can operate inline without an agent. This offers a straightforward user experience, with incoming traffic to managed cloud apps and the like redirected to the reverse proxy automatically.

Let’s look at this process a bit more closely.

A reverse proxy can protect sensitive data (e.g., PCI data, PII) by acting as a middleman or stand-in for the server on which that data resides. Client requests are routed first to the reverse proxy, then through a specified port in any applicable firewall, and then to the content server—and finally, back again. The client and the server never communicate directly, but the client interprets responses as if they had. Here are the basic steps:

1. Client sends a request, which the reverse proxy intercepts
2. Reverse proxy forwards the incoming request to the firewall (the reverse proxy can be configured to respond directly to requests for files in its cache without communicating with the server—see more detail on this in the use cases)
3. Firewall either blocks the request or forwards it to the server
4. Server sends response through the firewall to the proxy
5. Reverse proxy sends the response to the client

The reverse proxy can also scrub server responses for information that could allow a hacker to redirect to protected internal resources or take advantage of other vulnerabilities.

Open Source Software and Reverse Proxies

Reverse proxies are often built on open source software (OSS) due to the fact that it allows developers to access, modify, and distribute the source code. Many open source reverse proxies offer flexible and customizable features, allowing users to tailor the proxy according to their requirements.

For example, Nginx, Apache, and HAProxy are all reverse proxies that, through their OSS functionality, provide load balancing, caching, SSL offloading, and http request routing. OSS can also be ideal for security purposes, as it allows many eyes to review the code to identify vulnerabilities and propose fixes.

Reverse Proxy Use Cases

Reverse proxying, as a CASB deployment mode, is core to the security service edge (SSE) model alongside secure web gateway (SWG), zero trust network access (ZTNA), and other cloud-delivered security services.

Beyond SSE, common specific use cases for reverse proxies include:

Securing Unmanaged Devices

Many of your employees may use multiple devices for work, including personal ones. Beyond that, plenty of suppliers, partners, and customers may need access to your internal applications on their own unmanaged devices, presenting a risk to your security.

You can install agents such as VPNs to manage devices your organization owns, but unmanaged endpoints are a different story. Third parties won’t let you install agents on their endpoints, and many employees don’t want agents on their personal devices, either. Instead, a reverse proxy offers agentless protection against data leakage and malware from any unmanaged device accessing your cloud applications and resources.

Data Protection

A reverse proxy can enforce data loss prevention policies to prevent accidental or intentional uploads or downloads of sensitive information to or from sanctioned cloud apps. Because it operates inline and inspects encrypted traffic (especially a cloud-based reverse proxy), it can ensure uploaded or downloaded data falls in line with your policies.

Threat Prevention

An infected file in a cloud service can spread to connected apps and devices—especially unmanaged devices. By agentlessly preventing uploads or downloads of infected files to or from cloud resources, a reverse proxy provides advanced threat protection against malware and ransomware.

By nature, reverse proxies also hide servers and their IP addresses from clients, which protects web resources from threats such as distributed denial of service (DDoS attacks).

Load Balancing

Reverse proxies can be used to handle client requests that could otherwise overwhelm a single server with high demand, promoting high availability and better load times by taking pressure off the backend server. They mainly do this in two different ways:

1. A reverse proxy can cache content from an origin server in temporary storage, and then send the content to clients that request it without further transacting with the server (this is called web acceleration). A domain name system (DNS) can be used to route requests evenly among multiple reverse proxies.

If a large website or other web service uses multiple origin servers, a reverse proxy can distribute requests among them to ensure even server loads.

Benefits of Using a Reverse Proxy

With those use cases in mind, the advantages of using a reverse proxy fall into three main areas:

• Data security and threat prevention: Reverse proxies provide web application firewall (WAF) functionality by monitoring and filtering traffic (including encrypted traffic) between managed and unmanaged endpoints and the web server, protecting it from SQL injection, cross-site scripting, and other cyberattacks.
• Scalability and resource management: This is a two-part benefit. Reverse proxies support operational scale by eliminating the need to install agents on every user endpoint before you can offer secure access to managed resources. They also support infrastructure scale through capabilities such as server load balancing, API traffic management, and more.
• Performance and productivity: Cloud-based reverse proxies can analyze and apply security policies to traffic, including remote user traffic, without backhauling it through your data center, which is key for end user performance optimization. They also have effectively unlimited scale for inspecting TLS/SSL traffic (the majority of today’s traffic), whereas appliance-based firewalls and proxies can rarely inspect TLS/SSL encryption without major performance drops.

Challenges of Reverse Proxies

Reverse proxies offer notable security benefits when it comes to securing unmanaged devices and enterprise applications, but they bring notable shortcomings, too, such as:

• No security for unmanaged resources: If a user needs secure access to an app or resource that’s not integrated with your SSO, it’s outside a reverse proxy’s purview. Reverse proxies only monitor traffic destined for sanctioned resources, not all traffic—to secure unsanctioned resources in the same way, you’ll need a forward proxy.
• Risk of frequent breakage: Reverse proxies are typically hardcoded to work with specific versions of applications, so when an application is updated and new code is sent to the proxy, it can break. This can make the updated application unavailable until the proxy can be recoded, which leads to frustrated users and lost productivity.

A Better Way: Cloud-Based Browser Isolation

Today, more organizations are turning to cloud-based browser isolation to avoid the limitations and breakage risks of reverse proxies while still enabling secure use of unmanaged devices without endpoint agents.

When a user accesses a managed cloud application, Zscaler Cloud Browser Isolation virtualizes the session and renders content in an isolated environment in the cloud, sending the session to the user as a stream of pixels. The user experience is identical to the native experience of that cloud app, except that CBI prevents unmanaged devices from downloading, copying, pasting, or printing the sensitive data found in the app.

This makes CBI the ideal way to support flexibility and productivity for your extended user base while preventing accidental leakage, malicious exfiltration, and malware proliferation via unmanaged devices.

Zscaler Cloud-Based Browser Isolation

Zscaler Browser Isolation™ provides unmatched defense against web-based data leakage and threats, powered by the industry's most advanced zero trust web isolation.

An Unmatched User Experience

Get lightning-speed connections to apps and websites with our unique pixel-streaming technology and direct-to-cloud proxy architecture. Users receive a high-performance stream of pixels in their browser, offering security without cutting into productivity.

Consistent Protection for Users Anywhere

Protect any user, on any device, in any location with a zero trust isolation policy that spans headquarters, mobile or remote sites, and highly targeted functions and departments.

Less Management Hassle

Deploy and manage in seconds, leveraging Zscaler Client Connector or an agentless option to route traffic through the Zscaler Zero Trust Exchange™ with its native Browser Isolation integration.

Universal Compatibility

Enjoy coverage for all major web browsers to suit user preferences. Cookie persistence for isolated sessions keeps users’ key settings, preferences, and sign-on information intact.